apache doc folder permissions problem
Bill Cole
macportsusers-20171215 at billmail.scconsult.com
Fri Jun 18 18:39:52 UTC 2021
On 2021-06-18 at 14:33:43 UTC-0400 (Fri, 18 Jun 2021 14:33:43 -0400)
Murray Eisenberg <murrayeisenberg at gmail.com>
is rumored to have said:
>> On 18 Jun 2021, at 2:13 PM, Bill Cole
>> <macportsusers-20171215 at billmail.scconsult.com> wrote:
>>
>> On 2021-06-18 at 10:17:13 UTC-0400 (Fri, 18 Jun 2021 10:17:13 -0400)
>> Murray Eisenberg <murrayeisenberg at gmail.com>
>> is rumored to have said:
>>
>>> Indeed,
>>>
>>> sudo chmod a+x /Users /Users/me /Users/me/Sites
>>>
>>> fixed the permissions access problem.
>>> ...
>>
>> The requirement is that the user running httpd must have search
>> access on the whole tree above anywhere httpd is serving files from.
>> The precise meaning of the 'search' permission (i.e. the 'execute'
>> bit on a directory) is not intuitive or even well documented. It is
>> simply the ability to access nodes within the directory based on
>> those nodes' permissions, provided the caller knows the name of the
>> item being accessed. Without search permission it simply does not
>> matter what the permissions on items below the directory might be,
>> they cannot be accessed. If you are concerned with other users (i.e.
>> processes running as other users, such as 'daemon' which runs httpd
>> under MacPorts) you can 'chmod a-r' on those directories to block
>> reading of the directories themselves (i.e. the list of names of
>> sub-nodes.)
>>
>> You can provide the search permission via the basic rwx by
>> user/group/all mechanism or by extended ACLs, but you cannot create a
>> deep space of access without a path from above….
>
> With macOS 11.4 at least, the command
>
> chmod a-r /Users
>
> and even
>
> sudo chmod a-r /Users
>
> gives error "chmod: Unable to change file mode on /Users: Operation
> not permitted".

Which indicates that Apple has decided to add /Users to the creeping
expanse of files and directories behind the Iron Curtain of SIP.
Consider yourself Protected.

> (By contrast, making the change for /Users/me and /Users/me/Sites is
> OK.)

I guess they are waiting for OS 12 to lock those down...

--
Bill Cole
bill at scconsult.com or billcole at apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
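
The search-permission rule discussed in this message, as an added shell example (not code from the thread or from MacPorts): it classifies what users outside a directory's owner and group can do at each level of a path. The function names are made up for this illustration, and only the mode bits shown by `ls -ld` are read, so extended ACLs are not evaluated.

```shell
#!/bin/sh
# Added example. Uses only the mode bits printed by `ls -ld`; extended ACLs
# are not evaluated, and the "other" class applies only when the server
# account is neither the directory's owner nor in its group.

# Classify what "other" users can do with one directory, from characters
# 8-10 of its mode string (for example "r-x" in "drwxr-xr-x").
other_access() {
    bits=$(ls -ld "$1" | cut -c8-10)
    case $bits in
        r?[xt]) echo "list-and-search" ;;
        -?[xt]) echo "by-name-only" ;;   # after chmod a-r: names must be known
        *)      echo "blocked" ;;        # no search bit: nothing below is reachable
    esac
}

# Walk from a directory up to /, printing "<class> <directory>" per level.
walk_other_access() {
    dir=$(cd "$1" && pwd -P) || return 1
    while :; do
        printf '%s %s\n' "$(other_access "$dir")" "$dir"
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
}

# Print only the levels that stop other users from reaching the directory.
blocked_levels() {
    walk_other_access "$1" | sed -n 's/^blocked //p'
}

# Usage: sh check.sh /Users/me/Sites
if [ "$#" -gt 0 ]; then
    walk_other_access "$1"
fi
```

A single `blocked` line anywhere in the chain is enough to cause the 403 described earlier in the thread, whatever the modes of the files underneath.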